Thanks, @Tony and @Hayim. Sounds like you might well have it. We will look into it.
> We've encountered a handful of ISV products over the years that write "RACF"
> SMF records

Yeah, I have encountered at least one other, actually a homegrown product that writes Type 80 records. Even TSS kind of fits this description. The primary TSS SMF record is Type 80 and is "almost" like what RACF writes -- or rather, like what RACF wrote about twenty or thirty years ago.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Tony Harminc
Sent: Tuesday, July 05, 2016 9:54 AM
To: [email protected]
Subject: Re: Help identifying source of SMF 80 record

On 5 July 2016 at 11:43, Charles Mills <[email protected]> wrote:
> I am looking at an SMF 80 record from a customer that I am having
> trouble making sense of. The customer is definitely a RACF user, not a
> TSS user. The customer I believe is on z/OS V2R1.
>
> It is a valid SMF 80 record. The event.qualifier is 2.0. There are
> three relocatable sections: a 49 (User Name) that says "Detection
> Status", a 17 (Class name) that says "EK$CLASS" and a 1 (Resource
> Name) that says "EKCA.SECURITY.DETECTION". The record is 2959 bytes
> long, long for a RACF SMF record.
>
> So what's odd about it?
>
> 1. It is missing the RACF version SMF80VRM at offset 80 that was added
> to RACF around OS/390 V1R2. That leads me to believe the record was
> not produced by RACF.

Yup. We've encountered a handful of ISV products over the years that write "RACF" SMF records on their own initiative. None of them is fully "correct", either in that the record itself would never be written by RACF, or that it wouldn't be written in the context it is.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
